1. Field of the Invention
The present invention relates to a test method of one chip micro-computer for testing internal state of the one chip micro-computer having at least a CPU and a ROM installed in a single package, the ROM connected to the CPU such that the written data of the ROM can be executed by the CPU as a command code, and relates to one chip micro-computer for conducting the test. More particularly, the present invention relates to a test method of one chip micro-computer capable of testing (including a ROM test), no matter when, the internal state of one chip micro-computer which is the target of the present invention while preventing the third party from wrongfully reading the data of the ROM only by adding relatively simple circuits.
2. Description of the Related Art
Conventionally, there has been provided one chip micro-computer (to be referred to as MCU (Micro Controller Unit) hereinafter) having a CPU and a ROM (Read Only Memory), connected to the CPU such that the written data of the ROM can be executed by the CPU as a command code, installed in a single semiconductor chip or a substrate of various type, that is, installed in a single package. The shipping test for an installed ROM is indispensable for such an MCU. It is also necessary to conduct a test (to be referred to as a ROM test hereinafter) for confirming whether or not written data is the same as is written. Due to this, a function to read the data written in the installed ROM to the outside of the MCU is required.
However, if this function is given, there is a possibility that a third party wrongfully reads the written data. To prevent this, as described below, conventionally, restrictions are placed on the reading of written data or written data is indirectly tested without directly reading the written data.
(A1) A non-reversible physical modification is made to the MCU to prevent written data from being read after shipping the MCU. The non-reversible physical modification includes, for example, disconnection of a security fuse.
(A2) Procedures for reading written data are made to be complex or difficult so as to reduce the possibility for any third party to wrongfully read the data. Normally, this is, for example, setting a test mode for a ROM test only when a certain combination of input values of a plurality of certain terminals is given and permitting reading the data. The combination of input values includes an order combination. Japanese Unexamined Patent Publication No. 4-304540 also teaches allowing for the reading of written data if the data written in the installed ROM is compared with reference data from outside and they coincide with each other.
(A3) At the time of testing written data in the installed ROM, the test of judging whether or not the written data is correct is conducted within the MCU without outputting the data to the outside of the MCU and only the judge result is outputted to the outside. This includes, for example, a case of generating the check sum of the test target written data, comparing it to an expected value, judging whether the written data is correct or incorrect and outputting the judge result to the outside.
(A4) As shown in Japanese Unexamined Patent Publication No. 4-304540, permission for reading out data in an EPROM (Erasable and Programmable Read Only Memory) cell array to outside is given only when data inputted with write signal and data from the EPROM cell array are coincided with each other. Therefore, the data in the EPROM cell array is made to be a permission key for reading out the data.
(A5) Japanese Unexamined Patent Publication No. 3-256122 discloses one chip micro-computer which can use an external ROM. Namely, after release of reset, it is judged whether a reset vector which is inputted from outside coincides with a data of the same bit length. If they do not coincide with each other, a single chip mode is set by force. In the single chip mode, MCU operates according to a program installed in an internal ROM. Therefore, wrongful read out of the internal ROM using the external ROM illegally is prevented by setting the single chip mode by force.
The MCU is characterized in that processing having a high degree of freedom can be conducted depending of the program executed by the CPU. However, the prior art A1 to A5 mentioned above do hardly make use of this character. There are some cases where the CPU is not at all made use of during the ROM test and is kept in an inactive state. The prior art A1 to A5 also have the following problems, respectively.
As regards A1, even if there is a suspicion that written data in the installed ROM is defective after shipment, it has a fatal disadvantage in that another ROM test cannot be conducted once the non-reversible physical modification has been made. Furthermore, due to the necessity of special processing of a non-reversible physical modification such as the disconnection of a security fuse after a shipping test, test costs are disadvantageously increased. This is particularly disadvantageous to ASIC (or Application Specific Integrated Circuits) having many types but with small amounts.
As regards A2, whether or not any third party wrongfully reads the data depends on the number of terminals or procedures for use in read operation as described above. There is thus a limit to the security; i.e., the prevention of wrongful reading by the third party. Take an MCU of 100 pins, for example. Normally, so many terminals cannot be used for setting a ROM test mode and therefore a combination of so many input values cannot be conditioned. Since those skilled in the art could have estimated such a combination to a certain extent, there is a possibility that they can succeed in wrongfully reading data after lots of combinations are tried using a high-speed, general purpose integrated circuit tester. Moreover, to improve the security to prevent the wrongfully reading and to ensure the defense against it, a lot of terminals, pins and components are required, resulting in a cost hike. Even if such a defense is ensured, it produces no effect at all once the mechanism is revealed.
Moreover, the prior art A2 has a disadvantage to, for example, MCUs having the same hardware configuration but different from one another in data written in installed ROMs in accordance with purposes of parties who make orders. In this case, the fact that procedures of reading written data in the installed ROMs are the same makes it disadvantageously possible that persons responsible for orders wrongfully read data written in the installed ROMs of others. This occurs in particular to MCUs which are popular and used by a lot of people. That is, it is feared that the security mechanism of the MCU is revealed to a lot of users, with the result that it virtually loses its value.
As regards A3, it has a disadvantage in that there is a limit to test methods and there is a chance that check sums or the like coincide with one another. To reduce the possibility of the coincidence of the check sums, complex check sums are required. To realize it, however, many components are required and costs increase greatly. Furthermore, only the judge results of whether or not defective data exists are outputted to the outside of the MCU and it is impossible to know which written data is defective in the installed ROM or the like. This makes failure analysis disadvantageously difficult.
As regards A4 and A5, it has a disadvantage in that the permission key for reading out the data in the EPROM cell array or setting a single chip mode comprises only one or several byte. Therefore, the permission key may be comprehensively prepared and tried.
For example in A4, although internal data is changed by external data when both data do not coincide with each other, many data may be prepared and tried all. Therefore, security against wrongful read out may not be enough. Further, it seems that writing of known data is permitted all the time. Therefore, wrongful read out may be possible if the third party gives data which coincides with data written by himself.